CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI

Lab 9 

Enabling SSH and HTTPS access to Cisco IOS Routers 
Lab Objective: 

The objective of this lab exercise is for you to learn and understand how to enable
SSH and HTTPS access to Cisco IOS routers.

Lab Purpose: 

SSH and HTTPS are secure management protocols that are recommended for remotely 
accessing and managing Cisco IOS devices. It is imperative to understand the 
configuration tasks required to enable SSH access in the Cisco IOS software 
suite. 

Lab Difficulty: 

This lab has a difficulty rating of 5/10. 

Readiness Assessment: 

When you are ready for your certification exam, you should complete this lab in 
no more than 10 minutes. 

Lab Topology: 

Please use the following topology to complete this lab: 

[Topology diagram: Host 1 (172.16.1.254/24) connected to R2 FastEthernet0/0 (172.16.1.2/24)]

NOTE:

If you do not have a Host in your lab, you can simply substitute Host 1 for another router with an Ethernet
interface and a default static route pointing to 172.16.1.2.


Lab 9 Configuration Tasks 
Task 1: 

Configure the hostname on R2 and IP addressing as illustrated in the diagram. In addition, configure Host 1 with the 
IP address specified and a default gateway of 172.16.1.2. Verify that Host 1 can ping R2 successfully. 

Task 2: 

Configure R2 with the domain name howtonetwork.net. In addition to this, configure R2 so that it generates a
2048-bit RSA key for maximum security.

Task 3: 

Enable HTTPS support on R2. Ensure that only the 172.16.1.0/24 subnet can access the router via HTTPS. All
… without using an ACL.

Task 4: 

Configure a username of ccna with a password of security on R2. This user should have Level 15 access to the 
router. In addition, R2 should authenticate all HTTPS and SSH sessions using the local router database. 

Task 5: 

Verify your configuration by accessing R2 via HTTPS and SSH. 


Lab 9 Configuration and Verification 
Task 1: 

Router(config)#hostname R2
R2(config)#interface fastethernet0/0
R2(config-if)#ip address 172.16.1.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#exit
R2#


C:\>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 172.16.1.254
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 172.16.1.2

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected

C:\>ping 172.16.1.2

Pinging 172.16.1.2 with 32 bytes of data:

Reply from 172.16.1.2: bytes=32 time=1ms TTL=255
Reply from 172.16.1.2: bytes=32 time=1ms TTL=255
Reply from 172.16.1.2: bytes=32 time=1ms TTL=255
Reply from 172.16.1.2: bytes=32 time=1ms TTL=255

Ping statistics for 172.16.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\>_
Task 2:

R2(config)#ip domain-name howtonetwork.net
R2(config)#crypto key generate rsa
The name for the keys will be: R2.howtonetwork.net
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...

R2(config)#exit
R2#

R2#show crypto key mypubkey rsa
% Key pair was generated at: 01:40:01 UTC Mar 1 2002
Key name: TP-self-signed-3473940174
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C8244F
  0BABB6A5 57E3A33E E6D3995A 495CF68F 7E131A62 67029197 10DF0FCB 6918CBD3
  B817C851 D4648C79 B882A863 7804CB89 84FB80D9 F1D86BE7 9C8292E1 61772425
  2490F4BE 0322C05C 9845153E 0A455075 E9BCC77A 19900C00 84F63219 6434915C
  0E821D54 42E1C8FB 4BE8A303 4E295401 B4377CDC 14AF720F 4C92DC70 A9020301 0001
% Key pair was generated at: 08:01:11 UTC Mar 1 2002
Key name: TP-self-signed-3473940174.server
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D77959 F38BD5A2
  8584B71C 05919DC2 B33C3B3F 7024C5C2 45672D12 E3271AEE 763D42ED 3D7501E5
  2A335EEE 1E3591E1 72FF256A 04E488D0 F2ECEFA4 78240955 C0CA1BB0 04BC39F1
  6C915A7F 27833169 48F06FAA AA6F9278 40335603 260B5C0B 8B020301 0001
% Key pair was generated at: 08:27:21 UTC Mar 1 2002
Key name: R2.howtonetwork.net
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable.
Key Data:
  30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
  00CE0214 97E827CC E6BAE894 ECD5E4BE 11172513 BDCA271E 79132E55 CE24C58C
  05D76DD5 3C675C8A 4CAE8DD6 3BD5BE9A 4EAC74D1 165DE340 5334A797 0B4FB5C6
  5654E0B8 5827EEEB 256C495C CCDA3E41 F8E2FB1C F81C3124 61F7C7F3 051FD914
  A1CEF9DA 38352EEC 0850E3F2 498DA640 1510D929 00556458 C49A42C2 9A15692D
  BB9B7BA6 C946B1DE AFB6151C 22CEAACE AAE3A56D 28676D2A C1227F88 394204AF
  827E7486 131E5E90 D3C8FA5A 7CFB2A3C E6E2645E 5347047F 28EAC93C 902D0CA7
  93BBA7F1 E8904054 73AC4AAC D408F729 927CADD2 0BCAF6D9 F54FFC96 9BF80FE6
  60805FE2 CDE1140D 2A33B883 E2537641 5B631CD4 0E42CDFB 90013487 EDA587F8
  29020301 0001
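The Key Data that show crypto key mypubkey rsa prints is a DER-encoded SubjectPublicKeyInfo, so the modulus size can be checked directly from the hex rather than trusting the key name. The following Python script is an added example, not part of the original lab: the three hex blobs are copied from the show output above, while the DER walker, the function names and the 2048-bit minimum are mine. It shows that the newly generated R2.howtonetwork.net key is 2048 bits, but that the TP-self-signed-3473940174 key the HTTPS certificate is built on is only 1024 bits and the temporary server key only 768 bits.

```python
# Added example: read the modulus size and public exponent out of the "Key Data"
# hexdump that `show crypto key mypubkey rsa` prints. The blob is a DER-encoded
# SubjectPublicKeyInfo (RFC 5280), so a minimal DER reader is enough.
# The three hexdumps below are copied from the lab's show output.

KEY_2048 = """
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00CE0214 97E827CC E6BAE894 ECD5E4BE 11172513 BDCA271E 79132E55 CE24C58C
05D76DD5 3C675C8A 4CAE8DD6 3BD5BE9A 4EAC74D1 165DE340 5334A797 0B4FB5C6
5654E0B8 5827EEEB 256C495C CCDA3E41 F8E2FB1C F81C3124 61F7C7F3 051FD914
A1CEF9DA 38352EEC 0850E3F2 498DA640 1510D929 00556458 C49A42C2 9A15692D
BB9B7BA6 C946B1DE AFB6151C 22CEAACE AAE3A56D 28676D2A C1227F88 394204AF
827E7486 131E5E90 D3C8FA5A 7CFB2A3C E6E2645E 5347047F 28EAC93C 902D0CA7
93BBA7F1 E8904054 73AC4AAC D408F729 927CADD2 0BCAF6D9 F54FFC96 9BF80FE6
60805FE2 CDE1140D 2A33B883 E2537641 5B631CD4 0E42CDFB 90013487 EDA587F8
29020301 0001
"""
KEY_TP_SELF_SIGNED = """
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C8244F
0BABB6A5 57E3A33E E6D3995A 495CF68F 7E131A62 67029197 10DF0FCB 6918CBD3
B817C851 D4648C79 B882A863 7804CB89 84FB80D9 F1D86BE7 9C8292E1 61772425
2490F4BE 0322C05C 9845153E 0A455075 E9BCC77A 19900C00 84F63219 6434915C
0E821D54 42E1C8FB 4BE8A303 4E295401 B4377CDC 14AF720F 4C92DC70 A9020301 0001
"""
KEY_TEMP_SERVER = """
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D77959 F38BD5A2
8584B71C 05919DC2 B33C3B3F 7024C5C2 45672D12 E3271AEE 763D42ED 3D7501E5
2A335EEE 1E3591E1 72FF256A 04E488D0 F2ECEFA4 78240955 C0CA1BB0 04BC39F1
6C915A7F 27833169 48F06FAA AA6F9278 40335603 260B5C0B 8B020301 0001
"""

# AlgorithmIdentifier for rsaEncryption: OID 1.2.840.113549.1.1.1 followed by NULL
RSA_ENCRYPTION_ALGID = bytes.fromhex("06092A864886F70D0101010500")


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key_info(hexdump):
    """Return (modulus_bits, public_exponent) from an IOS RSA Key Data hexdump."""
    der = bytes.fromhex("".join(hexdump.split()))
    tag, spki, end = read_tlv(der, 0)       # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30 or end != len(der):
        raise ValueError("Key Data is not a single DER SEQUENCE")
    tag, algid, pos = read_tlv(spki, 0)     # AlgorithmIdentifier
    if tag != 0x30 or algid != RSA_ENCRYPTION_ALGID:
        raise ValueError("AlgorithmIdentifier is not rsaEncryption")
    tag, bitstr, _ = read_tlv(spki, pos)    # subjectPublicKey BIT STRING
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("expected a BIT STRING with no unused bits")
    tag, rsapub, _ = read_tlv(bitstr, 1)    # RSAPublicKey ::= SEQUENCE { n, e }
    if tag != 0x30:
        raise ValueError("expected RSAPublicKey SEQUENCE")
    tag_n, n_bytes, pos = read_tlv(rsapub, 0)
    tag_e, e_bytes, _ = read_tlv(rsapub, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs (modulus, exponent)")
    n = int.from_bytes(n_bytes, "big")      # the leading 0x00 sign pad does not change the value
    e = int.from_bytes(e_bytes, "big")
    return n.bit_length(), e


def key_meets_minimum(hexdump, minimum_bits=2048):
    """True if the key is at least minimum_bits (2048 is my assumed policy floor)."""
    bits, _ = rsa_public_key_info(hexdump)
    return bits >= minimum_bits


if __name__ == "__main__":
    for name, blob in (("R2.howtonetwork.net", KEY_2048),
                       ("TP-self-signed-3473940174", KEY_TP_SELF_SIGNED),
                       ("TP-self-signed-3473940174.server", KEY_TEMP_SERVER)):
        bits, e = rsa_public_key_info(blob)
        print(f"{name}: {bits}-bit RSA, e={e}, meets 2048 minimum: {key_meets_minimum(blob)}")
```

The practical point: generating a 2048-bit key in Task 2 does not by itself upgrade the HTTPS server, because the trustpoint in the running configuration still references rsakeypair TP-self-signed-3473940174, whose modulus the script reports as 1024 bits.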

Task 3: 

R2(config)#access-list 10 remark "This is my HTTPS ACL"
R2(config)#access-list 10 permit 172.16.1.0 0.0.0.255
R2(config)#access-list 10 deny any log
R2(config)#ip http secure-server
R2(config)#ip http access-class 10
R2(config)#line vty 0 4
R2(config-line)#transport input ssh
R2(config-line)#exit
R2(config)#exit
R2#
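To see exactly which sources the ip http access-class 10 line admits, the standard ACL can be evaluated offline the way IOS evaluates it: first match wins, a wildcard bit of 1 means "don't care", and an unmatched source hits the implicit deny at the end. The Python below is an added example, not part of the lab: the three access-list lines are copied from Task 3, while the parser, the evaluator and the function names are mine.

```python
# Added example: evaluate the Task 3 standard ACL the way IOS applies it to an
# `ip http access-class` check. ACL text is copied from the lab; the parser,
# evaluator and the modelled implicit deny are mine.
import ipaddress

HTTPS_ACL = """\
access-list 10 remark "This is my HTTPS ACL"
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 10 deny any log
"""


def ip2int(text):
    return int(ipaddress.IPv4Address(text))


def parse_standard_acl(text, number):
    """Return [(action, network_int, wildcard_int, log)] for standard ACL `number`."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[:2] != ["access-list", str(number)] or parts[2] == "remark":
            continue                                 # remarks never match traffic
        action, rest = parts[2], parts[3:]
        log = "log" in rest
        rest = [p for p in rest if p != "log"]
        if rest[0] == "any":                         # any == 0.0.0.0 255.255.255.255
            net, wild = 0, 0xFFFFFFFF
        elif rest[0] == "host":                      # host A == A 0.0.0.0
            net, wild = ip2int(rest[1]), 0
        else:
            net = ip2int(rest[0])
            wild = ip2int(rest[1]) if len(rest) > 1 else 0   # omitted wildcard = single host
        entries.append((action, net, wild, log))
    return entries


def evaluate(entries, source):
    """First-match evaluation: wildcard bit 1 = don't care, bit 0 = must match."""
    addr = ip2int(source)
    for action, net, wild, log in entries:
        care = ~wild & 0xFFFFFFFF
        if addr & care == net & care:
            return action, log
    return "deny", False                             # implicit deny any at the end of every IOS ACL


def https_allowed(source, acl_text=HTTPS_ACL, number=10):
    """Would the web server accept a session from `source` under the Task 3 ACL?"""
    action, _ = evaluate(parse_standard_acl(acl_text, number), source)
    return action == "permit"


if __name__ == "__main__":
    entries = parse_standard_acl(HTTPS_ACL, 10)
    for src in ("172.16.1.254", "172.16.2.10", "10.0.0.5"):
        print(f"{src}: {evaluate(entries, src)}")
```

The explicit deny any log line is what makes rejected HTTPS attempts visible in the router's log; without it the implicit deny still blocks the session, but silently.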

Task 4: 

R2(config)#username ccna privilege 15 secret security
R2(config)#ip http authentication local
R2(config)#line vty 0 4
R2(config-line)#login local
R2(config-line)#exit
R2(config)#exit
R2#

Task 5: 

To verify SSH, you need an SSH client such as PuTTY. For example:

[PuTTY session dialog: host 172.16.1.2, connection type SSH]

172.16.1.2 - PuTTY
login as: ccna
Using keyboard-interactive authentication.
Password:
R2#


To verify HTTPS access, all you need is a simple Web Browser:

[Screenshot: web browser HTTPS session to R2 at https://172.16.1.2]


Lab 9 Configurations
R2 Configuration

R2#show run
Building configuration...

Current configuration : 2666 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no logging console
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
no ip domain lookup
ip domain name howtonetwork.net
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3473940174
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3473940174
 revocation-check none
 rsakeypair TP-self-signed-3473940174
!
!
crypto pki certificate chain TP-self-signed-3473940174
 certificate self-signed 03
  3082024B 308201B4 A0030201 02020103 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33343733 39343031 3734301E 170D3032 30333031 30383330
  32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34373339
  34303137 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C824 4F0BABB6 A557E3A3 3EE6D399 5A495CF6 8F7E131A 62670291 9710DF0F
  CB6918CB D3B817C8 51D4648C 79B882A8 637804CB 8984FB80 D9F1D86B E79C8292
  E1617724 252490F4 BE0322C0 5C984515 3E0A4550 75E9BCC7 7A19900C 0084F632
  19643491 5C0E821D 5442E1C8 FB4BE8A3 034E2954 01B4377C DC14AF72 0F4C92DC
  70A90203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
  551D1104 17301582 1352322E 686F7774 6F6E6574 776F726B 2E6E6574 301F0603
  551D2304 18301680 144020A0 822373EF EFCD379B 8C2A1A4D 1343842D 59301D06
  03551D0E 04160414 4020A082 2373EFEF CD379B8C 2A1A4D13 43842D59 300D0609
  2A864886 F70D0101 04050003 81810018 BD971958 6D275769 5ADFF84C 566F8F39
  857E730C 27B0E083 7DCF3C01 67BBEEAF 3CA291EF B92A711D C4D4AE49 A0C521CD
  2A09AC35 C1D0A813 86B326AD E4EBE346 50F79E63 D35A47AF F1C54CB1 74C0F6D1
  72547F28 EAE15C2C B7EB4944 C40B2FD8 050DF971 CE10C8DA 171E6161 FE0AAB91
  FCCFBFA0 8ACC608A C7D9799A 73F95A
  quit
!
!
username ccna privilege 15 secret 5 $1$AMJ7$Jhs/IcLaJsecnzlaKZCI91
archive
 log config
  hidekeys
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
!
access-list 10 remark "This is my HTTPS ACL"
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 10 deny any log
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login local
 transport input ssh
!
!
end
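The running configuration above is a good input for a management-plane check: it contains everything the five tasks asked for, but also leaves plain-text HTTP (ip http server) enabled next to HTTPS, keeps an unused vty password in the clear under no service password-encryption, and does not pin SSH to version 2. The Python below is an added example and not part of the lab or of IOS: the configuration excerpt is a trimmed copy of the show run output (certificate body omitted, IOS's one-space sub-command indent restored), while the parser, the check rules and the finding texts are mine. ip ssh version 2 is a real IOS command the lab does not configure.

```python
# Added example: a management-plane review run over the lab's running config.
# Config excerpt is trimmed from the lab's `show run`; parser and rules are mine.

RUNNING_CONFIG = """\
version 12.4
no service password-encryption
hostname R2
no aaa new-model
ip domain name howtonetwork.net
username ccna privilege 15 secret 5 $1$AMJ7$Jhs/IcLaJsecnzlaKZCI91
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 10 deny any log
line con 0
line aux 0
line vty 0 4
 password cisco
 login local
 transport input ssh
end
"""

# Top-level commands that open an indented block in IOS show run output
SECTION_PREFIXES = ("line ", "interface ", "router ", "crypto pki ")


def parse_config(text):
    """Split IOS config into top-level commands and {section header: [sub-commands]}."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                                   # blank lines and separators
        if raw[0].isspace():                           # indented => belongs to current section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(SECTION_PREFIXES):
            current = line
            sections[current] = []
        else:
            current = None
            top.append(line)
    return top, sections


def audit_remote_access(text):
    """Return a list of findings; an empty list means every check passed."""
    top, sections = parse_config(text)
    findings = []
    if "ip http server" in top:
        findings.append("HTTP: plain 'ip http server' is enabled alongside HTTPS; use 'no ip http server'")
    if "ip http secure-server" not in top:
        findings.append("HTTPS: 'ip http secure-server' is not enabled")
    if not any(l.startswith("ip http access-class ") for l in top):
        findings.append("HTTPS: no 'ip http access-class' limits which sources may connect")
    if "ip http authentication local" not in top and "aaa new-model" not in top:
        findings.append("HTTPS: web sessions are not authenticated against local users or AAA")
    if not any(l.startswith(("ip domain name ", "ip domain-name ")) for l in top):
        findings.append("SSH: no domain name, so RSA keys (and SSH) cannot be generated")
    if "ip ssh version 2" not in top:
        findings.append("SSH: 'ip ssh version 2' not set, so SSHv1 can still be negotiated")
    if "no service password-encryption" in top:
        findings.append("Passwords: line passwords are stored in clear text")
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        if "transport input ssh" not in body:
            findings.append(f"{header}: transport input is not restricted to SSH")
        if "login local" not in body and not any(b.startswith("login authentication") for b in body):
            findings.append(f"{header}: login is not tied to the local user database or AAA")
        if any(b.startswith("password ") for b in body):
            findings.append(f"{header}: a line password is configured; remove it when authentication is per-user")
    return findings


if __name__ == "__main__":
    for finding in audit_remote_access(RUNNING_CONFIG):
        print("FINDING:", finding)
```

Run against the lab's configuration the script reports four findings; once ip http server is turned off, the vty password removed, service password-encryption enabled and ip ssh version 2 added, it reports none.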